A Tor relay operator's IPv6 HOWTO

In Oct 2012, support was implemented for clients connecting to relays, as well as for relays publishing IPv6 addresses and accepting clients connecting over IPv6. As of Jan 2013, there is also support for exiting to IPv6 destinations. See the Tor on IPv6 road map for more detailed information about which versions of Tor support different aspects of Tor on IPv6.

1 Relays on IPv6

Assuming that you already have an ordinary IPv4 relay up and running, this is how to make it an IPv6 relay.

The way you make your relay bind to and publish an IPv6 OR port is to add another ORPort config option to your torrc file. You can keep your IPv4 ORPort option as is.

For the time being you need to configure your numeric IPv6 address explicitly within square brackets (note 1), like so:

ORPort [2001:DB8::1]:9050

Clients use IPv4 and IPv6 ORPorts (because they are more anonymous; note 2). Relays use IPv4 DirPorts and IPv4 ORPorts. So there is no reason to configure an IPv6 DirPort: if you do, it won't be published in your descriptor, and it will never be used by other Tor instances to download directory documents.

If your relay becomes a Guard, a small number of clients will use its IPv6 ORPort.

There is currently no way of running an IPv6-only relay (note 4). Your relay will have to publish both an IPv4 and an IPv6 OR port. This limitation will go away, but note that your relay will need to be able to make outgoing IPv4 connections for the foreseeable future.

The OutboundBindAddress config option can be set to make Tor use a specific source address for outbound connections. This can be useful if your host has more than one IPv6 address. This option can be used twice, once per address family. Enclose an IPv6 address in square brackets.

After making changes to the torrc file, a restart of Tor is recommended. Some reconfiguration is done properly when Tor is sent a HUP signal, while some is not. Please note that you won't get a warning about your IPv6 OR port not being reachable if it isn't (note 5). It may take some time (more than 24h) for the directory authorities to confirm your relay is reachable over IPv6 and flag it as ReachableIPv6.

1.1 Ordinary relays

The IPv6 OR port of an ordinary relay should show in the consensus as an "a" line. For example:

a [2001:DB8::1]:9030

In order to be able to exit to IPv6 addresses, exit relays must set

IPv6Exit 1

If you don't want to exit to IPv6, please set the exit policy for IPv6 to reject all exiting to IPv6 addresses:

ExitPolicy reject6 *:*
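
The points above can be checked mechanically before restarting Tor. The following Python lint is an added example, not part of the original page or of Tor itself; the finding names and the sample torrc are constructed for illustration, and treating a missing IPv6Exit 1 / reject6 *:* line as a finding is this example's reading of the advice above.

```python
import ipaddress
import re

# Constructed sample torrc (address from the 2001:db8::/32 documentation range).
SAMPLE_TORRC = """\
ORPort 9001
ORPort 2001:DB8::1:9050
DirPort [2001:DB8::1]:9030
"""

BRACKETED = re.compile(r"^\[([^\]]+)\](?::(?:\d+|auto))?$")


def is_bracketed_v6(arg):
    """True for [addr], [addr]:port or [addr]:auto with a valid IPv6 addr."""
    m = BRACKETED.match(arg)
    if not m:
        return False
    try:
        ipaddress.IPv6Address(m.group(1))
        return True
    except ValueError:
        return False


def lint_ipv6(torrc):
    """Return finding codes for the IPv6 relay points made in this HOWTO."""
    opts = []
    for line in torrc.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2:
            opts.append((fields[0].lower(), fields[1:]))  # names are case-insensitive
    orports = [args[0] for name, args in opts if name == "orport"]
    findings = []
    if any(a.count(":") >= 2 and not a.startswith("[") for a in orports):
        findings.append("unbracketed-ipv6-orport")
    if not any(is_bracketed_v6(a) for a in orports):
        findings.append("no-ipv6-orport")
    if not any(not a.startswith("[") and a.count(":") <= 1 for a in orports):
        findings.append("no-ipv4-orport")  # IPv6-only relays are not supported
    if any(n == "dirport" and is_bracketed_v6(a[0]) for n, a in opts):
        findings.append("ipv6-dirport-unused")  # never published or used
    policies = [p.split() for n, a in opts if n == "exitpolicy"
                for p in " ".join(a).split(",")]
    if ("ipv6exit", ["1"]) not in opts and ["reject6", "*:*"] not in policies:
        findings.append("ipv6-exit-stance-unset")
    return findings
```

Call lint_ipv6() on the text of your torrc; an empty list means none of these checks fired.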

1.2 Bridges

A bridge relay with an IPv6 OR port will be distributed by the Bridge DB. The part of IPv6 bridges ending up in the "http pool" are accessed through

2 Authoritative directory specifics

The AuthDirHasIPv6Connectivity config option is used to make an authoritative directory require successful reachability testing of IPv6 OR ports to consider voting for them (or simply publish them, in the case of a bridge authority).

Note that authorities, directory as well as bridge, do not yet make full use of IPv6 (note 6). Specifically, there is no way to make an authority export any of its authority-specific functions over IPv6 -- an authority cannot vote over IPv6, and more.

3 Client behaviour

A few notes on how clients behave. Might be useful for testing your relays.

As long as the number of public relays publishing an IPv6 address is low we want to protect users from accidentally using them. Configuration options:

  • ClientUseIPv6 1 (default 0) for IPv6-only clients or
  • ClientUseIPv4 0 (default 1) for dual-stack (IPv4/IPv6) clients

need to be set in order for a client to pick an IPv6 address for a directory or entry relay.

For dual-stack clients (ClientUseIPv6 1), setting ClientPreferIPv6ORPort 1 might be good in order to increase the chance of a client picking an IPv6 OR port.

(The option ClientUseIPv4 was introduced in Older clients should use ClientUseIPv6 1 and ClientPreferIPv6ORPort 1.)

Note that clients running with bridges do not need to set any IPv6-specific configuration options in order to connect to bridges over IPv6. Putting an IPv6 address in a Bridge option is enough.


1: #5940: Figure out own IPv6 address

2: #18483: Clients should always tunnel connections, and never fall back to a DirPort

3: #18394: Allow relays to have an IPv6 DirPort on the same port as the IPv4 DirPort (wontfix)

4: #5788: Add support for relays without an IPv4 address

5: #6939: Missing log entry for IPv6 ORPort reachability check

6: #6027: Directory authorities on IPv6 (closed as duplicate, project completed)

Last modified on Apr 7, 2020, 9:43:59 PM